BullseyePolytopePosioning

This repository provides the datasets and code needed to reproduce the experiments in the paper Bullseye Polytope: A Scalable Clean-Label Poisoning Attack with Improved Transferability.

If you find this code useful for your research, you may cite:

@article{aghakhani2020bullseye,
  title={Bullseye Polytope: A Scalable Clean-Label Poisoning Attack with Improved Transferability},
  author={Aghakhani, Hojjat and Meng, Dongyu and Wang, Yu-Xiang and Kruegel, Christopher and Vigna, Giovanni},
  journal={arXiv preprint arXiv:2005.00191},
  year={2020}
}

Implementation Notes

Bullseye Polytope is from the same family as Convex Polytope. We highly recommend reading that paper as well. The authors of Convex Polytope released the source code along with the substitute networks that they used. Our source code is built on top of Convex Polytope. In addition to these substitute networks, we release the (missing) networks that we trained in order to conduct our experiments. The experiments were run using PyTorch v1.3.1 with CUDA 10.1. We ran all the attacks using NVIDIA Titan RTX graphics cards.

Prerequisites

First, download our datasets from here; they contain the split of the CIFAR10 dataset and the Multi-View Car Dataset.

Then, download the substitute and victim models that we used for our experiments from here. You can also train any model with train_cifar10_models.py, where the models/* modules originally come from kuangliu. One example is:

python train_cifar10_models.py --gpu 0 --net DPN92 --train-dp 0.3 --sidx 0 --eidx 4800

Experiments

We have five different classes of experiments in the single-target setting. You need to call the craft_poisons_transfer.py module to perform all the attacks. You can look at the source code to see the extensive list of arguments. We list here the important ones:

In order to evaluate one instance of the attack against individual victim networks, you can use eval_poisons_transfer.py. Just make sure that you pass the right value for the --eval-poisons-root argument, which needs to be the directory containing the attack results of one particular method for all the targets (i.e., the target index should not be part of the path). For all of the following experiments, we have provided basic scripts that assume you are using a GPU, but you can easily tweak them if you want to use a CPU.

Now, let's get back to the experiments.

1. Experiments in which the attacker has complete knowledge of the training set that is used to build the victim's feature extractor network. Note that the attacker still doesn't know the fine-tuning dataset (except for the added poisons). To launch these experiments you may use launch/attack-transfer-18.sh and launch/attack-end2end-12.sh. To evaluate the victims against the poisons generated by the attacks, you may use launch/eval-transfer.sh and launch/eval-end2end.sh.

The following script runs the Convex Polytope attack for the 17th target (on GPU 0) in both transfer learning scenarios, with --net-repeat set to 1. Note that 4000 in the path indicates that the attack has run for 4000 iterations (--poison-ites 4000).

# Linear transfer learning
bash launch/attack-transfer-18.sh 0 convex 17 1
bash launch/eval-transfer.sh 0 17 attack-results/100-overlap/linear-transfer-learning/convex/4000/

# End-to-end training, --poison-ites by default is set to 1500.
bash launch/attack-end2end-12.sh 0 convex 17 1
bash launch/eval-end2end.sh 0 17 attack-results/100-overlap/end2end-training/convex/1500/

Once you have run all the attacks for all the target indices that you want, you may use analysis/compare-attacks-100-overlap-linear-transfer-learning.sh and analysis/compare-attacks-100-overlap-end2end-training.sh for further analysis (generating the reports/plots in the paper).

2. Experiments in which the attacker has 50% knowledge of the training set that is used to build the victim's feature extractor network. To launch these experiments you may use launch/attack-transfer-difftraining-50.sh and launch/attack-end2end-difftraining-50.sh. To evaluate the victims against the poisons generated by the attacks, you may use launch/eval-difftraining.sh and launch/eval-difftraining.sh.

The following script runs the Bullseye Polytope attack for the 17th target (on GPU 0) in both transfer learning scenarios, with --net-repeat set to 3. Note that 1500 in the path indicates that the attack has run for 1500 iterations (--poison-ites 1500).

# Linear transfer learning
bash launch/attack-transfer-difftraining-50.sh 0 mean 17 3
bash launch/eval-difftraining.sh 0 17 attack-results/50-overlap/linear-transfer-learning/mean-3Repeat/1500

# End-to-end training
bash launch/attack-end2end-difftraining-50.sh 0 mean 17 3
bash launch/eval-difftraining.sh 0 17 attack-results/50-overlap/end2end-training/mean-3Repeat/1500

Once you have run all the attacks for all the target indices that you want, you may use analysis/compare-attacks-50-overlap-linear-transfer-learning.sh and analysis/compare-attacks-50-overlap-end2end-training.sh for further analysis (generating the reports/plots in the paper). Note that, due to the high cost of running these attacks (especially Convex Polytope), as of now we have not included the results of end-to-end training in this setting. We plan to do that in the near future.

3. Experiments in which the attacker has 0% knowledge of the training set that is used to build the victim's feature extractor network. To launch these experiments you may use launch/attack-transfer-difftraining-0.sh and launch/attack-end2end-difftraining-0.sh. To evaluate the victims against the poisons generated by the attacks, you may use launch/eval-difftraining.sh and launch/eval-difftraining.sh.

The following script runs the Bullseye Polytope attack for the 17th target (on GPU 0) in both transfer learning scenarios, with --net-repeat set to 1. Note that 1500 in the path indicates that the attack has run for 1500 iterations (--poison-ites 1500).

# Linear transfer learning
bash launch/attack-transfer-difftraining-0.sh 0 mean 17 1
bash launch/eval-difftraining.sh 0 17 attack-results/50-overlap/linear-transfer-learning/mean/1500

# End-to-end training
bash launch/attack-end2end-difftraining-0.sh 0 mean 17 1
bash launch/eval-difftraining.sh 0 17 attack-results/50-overlap/end2end-training/mean/1500

Once you have run all the attacks for all the target indices that you want, you may use analysis/compare-attacks-0-overlap-linear-transfer-learning.sh and analysis/compare-attacks-0-overlap-end2end-training.sh for further analysis (generating the reports/plots in the paper). Note that, due to the high cost of running these attacks (especially Convex Polytope), as of now we have not included the results of end-to-end training in this setting. We plan to do that in the near future.

4. Experiments to back our intuition behind the "Bullseye" idea. To launch these experiments you may use launch/run_attack_fixedcoeffs.py. This also takes care of evaluating the victim models against the poisons generated by the attacks. Finally, for further analysis (generating the reports/plots in the paper), you may use analysis/compare_diff_fixedcoeffs.py.

The following script runs nine alternatives of Bullseye Polytope and compares them with Bullseye Polytope. This is in the linear transfer learning scenario with 100% overlap.

python launch/run_attack_fixedcoeffs.py

5. Until now, we have shown how to run the experiments in single-target mode. Now it's time for multi-target mode. Go here.

Results

To make your life easier and to save you time/money, you can find all the detailed results of our experiments here. The results for multi-target mode can be downloaded from here. To be consistent with the code, you need to decompress this in the Multi-Target-Mode folder. You just need to be patient, as the logs are not in a perfect format. :)

If you have questions, feel free to reach out to us.